Uploaded on Jul 11, 2020
This document explains how segmentation can help reduce the number of systems that require PCI DSS controls. Let us first understand what PCI DSS scoping and segmentation mean.
PCI DSS Scoping & Segmentation
Date: 23.06.2020
Introduction to PCI DSS
► Organizations are struggling to understand the application of PCI DSS controls and identify systems that need to be secured.
► The presentation details the ins and outs of PCI DSS Security Standards and Compliance for particular businesses.
► The presentation will work as a guide for organizations to identify systems that need to be included “in-scope” for PCI DSS.
► It will also assist in understanding how segmentation can help reduce the number of systems that require PCI DSS controls.
WHAT IS PCI DSS
► The Payment Card Industry Data Security Standard (PCI DSS) is a Security Standard formed in the year 2004 by 5 major credit card companies, namely:
- Visa
- MasterCard
- Discover
- JCB
- American Express
► Governed by the Payment Card Industry Security Standards Council (PCI SSC), the policy intends to optimize and secure credit, debit and cash card transactions.
► The Security Standard helps protect cardholders against data fraud, data theft and misuse of personal information.
WHO NEEDS TO BE PCI DSS COMPLIANT?
► PCI DSS applies to all entities who are involved in the card payment process, including merchants, processors, issuers and service providers.
► It is also applicable to all entities who store, process, or transmit cardholder data and/or sensitive authentication data.
► PCI DSS Compliance requires defining scope and identifying systems that fall “in scope” for compliance.
► It is important to note that scope cannot be defined based on business priorities and budget.
► Given below are systems to which PCI DSS security requirements may be applicable:
- System Components
- Systems within the Network
- Third Party systems
► Every PCI DSS security requirement/control applies to people, processes, and technologies that interact with or impact the security of CHD directly or indirectly.
OBJECTIVES OF PCI DSS COMPLIANCE
► Build and Maintain a Secure Network
► Protect Cardholder Data
► Maintain a Vulnerability Management Program
► Implement Strong Access Control Measures
► Regularly Monitor and Test Networks
► Maintain an Information Security Policy
Understanding PCI DSS Scoping & Segmentation
► The PCI Security Standards Council (PCI SSC) released a supplemental guide for scoping and network segmentation in December 2016.
► The purpose of this guide was to help organizations determine systems “in scope” for PCI DSS and understand how segmentation can reduce the number of in-scope systems.
► The objective is to help organizations protect their data from threats in which an attacker targets a system with fewer security controls and uses it as a path to sensitive cardholder data held on more strongly secured systems.
PCI DSS SCOPING
► The PCI Security Standards Council (PCI SSC) defines “scope” as that part of your environment which must meet the control objectives stated in the PCI Data Security Standard (DSS).
► The components that define Scope are:
- Storage
- Processing
- Transmitting
- Systems/services/vendors that can impact the security of the Cardholder Data Environment (CDE) or the Card Holder Data (CHD)
► Any system that stores, processes, or transmits payment card details falls within the scope for PCI Compliance.
PCI DSS SCOPE CATEGORIES

IN-SCOPE
► Systems that are directly involved in, connected to, or impact the security of cardholder data.
► Systems storing, processing or transmitting Cardholder Data (CHD) and Sensitive Authentication Data (SAD).
► Systems that do not store, process, or transmit Cardholder Data, but fall in the same or adjacent network.
► Systems that support PCI DSS requirements or provide segmentation of the CDE from out-of-scope systems.

CONNECTED-TO-SYSTEM (IN SCOPE)
► Systems that directly or indirectly connect to or have access to the CDE (for example a system connected via a jump server).
► Systems that impact the configuration or security of the CDE (for example a server providing name resolution (DNS) for the CDE).
► Systems that provide security services to the CDE (for example an identification & authentication server such as Active Directory).

OUT-OF-SCOPE
► Systems that do not store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD).
► Systems that do not fall in the same network segment as systems that store, process, or transmit CHD or SAD.
► Systems that do not have direct or indirect access to any system in the CDE.
► Systems that do not directly or indirectly impact security controls of the CDE.
► Systems that do not meet or fall in the criteria described as connected-to or security-impacting systems.
Network Segmentation
► Network Segmentation means dividing a network into smaller sections for better control over the flow of traffic across the network and to restrict confidential data to a specific network segment.
► The process helps segregate systems and networks that store/process/transmit cardholder data from the rest of the computing processes/information.
► Network Segmentation is not a mandate but a recommended strategy under PCI DSS.
► PCI DSS Network Segmentation is one method an organization can use to scope system controls for PCI Compliance.
► Segmentation helps organizations implement necessary controls on the network or system for security purposes.
How does Network Segmentation affect PCI Scope?
► As per PCI DSS, for a system to be considered “out-of-scope” for PCI DSS, the system component in question must be systematically and accurately segmented from the Cardholder Data Environment (CDE).
► The network segmentation should be done in a way that even if the “out-of-scope” system component is compromised, it will not impact the security of the CDE.
► Network segmentation helps reduce “systems in scope”, and thereby:
- Reduces the overall Compliance cost.
- Reduces the complexity of the PCI DSS Compliance process.
- Limits the risk of handling highly sensitive data in your environment.
- Limits the repercussions of breach/data theft/data misuse.
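The scope categories slide and the segmentation slide above describe a decision rule: a system handling CHD/SAD (or sharing its segment) is in scope, a system with direct or indirect connectivity to the CDE (or a security-impacting role) is connected-to, and everything else is out of scope only if the segmentation actually isolates it. The following Python is an added example, not part of the original presentation, that applies that rule to a constructed inventory and a constructed firewall policy. It assumes a segment is flat (any host in it can reach any other host in it) and treats reachability across permitted inter-segment flows transitively, which is the conservative reading of "indirectly connected". All system, segment and flow names are invented.

```python
"""
Added example (not from the original deck): classify systems into the
PCI DSS scope categories from a constructed inventory and a constructed
set of permitted inter-segment flows, then check which systems an
organization claims are out of scope are really isolated from the CDE.
"""
from collections import deque

IN_SCOPE = "in-scope"
CONNECTED_TO = "connected-to"
OUT_OF_SCOPE = "out-of-scope"

# Constructed inventory: network segment, whether the system stores/processes/
# transmits CHD or SAD, and whether it provides a security service to the CDE.
SYSTEMS = {
    "pos-terminal":  {"segment": "cde",   "chd": True,  "security_service": False},
    "payment-db":    {"segment": "cde",   "chd": True,  "security_service": False},
    "cde-log-relay": {"segment": "cde",   "chd": False, "security_service": False},
    "cde-dns":       {"segment": "infra", "chd": False, "security_service": True},
    "jump-host":     {"segment": "mgmt",  "chd": False, "security_service": False},
    "hr-portal":     {"segment": "corp",  "chd": False, "security_service": False},
    "guest-wifi":    {"segment": "guest", "chd": False, "security_service": False},
}

# Constructed firewall policy: (source segment, destination segment) pairs that
# may initiate connections. Traffic inside one segment is assumed unrestricted.
FLAT_FLOWS = {("corp", "mgmt"), ("mgmt", "cde"), ("cde", "infra")}

# The same policy after segmentation: the corporate segment can no longer reach
# the management segment that hosts the jump server.
SEGMENTED_FLOWS = {("mgmt", "cde"), ("cde", "infra")}


def cde_segments(systems):
    """Segments containing at least one system that handles CHD or SAD."""
    return {s["segment"] for s in systems.values() if s["chd"]}


def reachable_segments(start, flows):
    """Breadth-first search over permitted flows; the result includes start."""
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for src, dst in flows:
            if src == seg and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def classify(systems, flows):
    """Map each system name to one of the three scope categories."""
    cde = cde_segments(systems)
    result = {}
    for name, s in systems.items():
        seg = s["segment"]
        if s["chd"] or seg in cde:
            # Handles CHD/SAD, or shares a segment with a system that does.
            result[name] = IN_SCOPE
            continue
        can_reach_cde = bool(reachable_segments(seg, flows) & cde)
        reached_from_cde = any(seg in reachable_segments(c, flows) for c in cde)
        if s["security_service"] or can_reach_cde or reached_from_cde:
            # Direct or indirect connectivity to the CDE, or a security role for it.
            result[name] = CONNECTED_TO
        else:
            result[name] = OUT_OF_SCOPE
    return result


def verify_out_of_scope(systems, flows, claimed):
    """Return the claimed out-of-scope systems that the policy does not isolate."""
    categories = classify(systems, flows)
    return sorted(name for name in claimed if categories[name] != OUT_OF_SCOPE)


if __name__ == "__main__":
    claimed = ["hr-portal", "guest-wifi"]
    for label, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        print(f"--- {label} policy ---")
        for name, category in sorted(classify(SYSTEMS, flows).items()):
            print(f"{name:14s} {category}")
        print("claimed out-of-scope but not isolated:",
              verify_out_of_scope(SYSTEMS, flows, claimed))
```

Under the flat policy the HR portal is connected-to, because its segment can reach the jump host and from there the CDE; only after the corp-to-mgmt flow is removed does it drop out of scope. The `verify_out_of_scope` check is the slide's "assume everything is in scope until verified" turned into a test: it lists every system the organization wants to exclude that the policy, as written, does not actually isolate.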
Why is Network Segmentation essential?
► Ensures the company only stores sensitive cardholder data in specific locations and limits access to only individuals who need it.
► Reduces the scope and complexity of card-processing associated with your networks and data management process.
► Reduces the costs of the PCI Assessment.
BENEFITS OF NETWORK SEGMENTATION
► Prevents “out-of-scope” systems from overlapping with systems in the Cardholder Data Environment.
► Improves data security and reduces the possibility of a data breach.
► Helps to ease spotting anomalies within each distinct network.
Conclusion
► When it comes to scoping for PCI DSS, the best approach is to assume that everything is in scope until verified.
► Determining that a system is “out-of-scope” does not imply that the system is secure and needs no protection.
► A system that does not fall “in-scope” for PCI DSS may still pose a threat to the CDE and to the entire organization.
► Payment card details are one set of confidential data that needs to be secured. However, companies also have a legal responsibility to protect and secure other personal data of their clients as well.
► As a comprehensive measure for securing all confidential data, PCI DSS is an appropriate measure to secure not just the data of payment cardholders, but also other sensitive and confidential data in an organization’s network/systems.
► Implementing security control best practices will help organizations protect their infrastructure and other system components that are deemed to be “out-of-scope” as per PCI DSS requirements.
Thank YOU
Website : https://www.vistainfosec.com/
Email : [email protected]
Get In Touch